by kees99 3116 days ago

  firmware sends six DNS requests and
  one NTP query every 5 seconds
  (...snip...)
  TP-Link has hardcoded the following non-configurable
  NTP servers and server pools in their firmware:
  (...snip...)
  au.pool.ntp.org, nz.pool.ntp.org
Wait... so TP-Link is effectively DDoSing the NTP pool?

Also, as pointed out in another thread here, a vendor using a country prefix instead of applying for their own prefix is a violation of:

http://www.pool.ntp.org/en/vendors.html

...which was put in place as a reaction to incidents just like this one:

https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#No...


An NTP request every couple of seconds is similarly in violation of the vendor guidelines, which state once every 10 minutes or less often.
Would it be possible for the NTP server to detect what type of device/OS is sending the request and block it (i.e., could au/nz.pool.ntp.org servers block all TP-Link requests to teach them a lesson)?

If they can't do that, maybe they can just detect IPs that are making requests every 5 seconds, as the TP-Link products are doing, and block those, since they're in violation of the once-every-10-minutes-maximum rule for the NTP servers?

I'm a bit rusty, but I believe the way NTP works (at least the reference version which is commonly used) is that if a client sends too many requests in a short time, they are ignored except to reply with a "back off packet" which is called the KoD (Kiss of death) in NTP terms.

Security audits have found some issues with abusing the KoD, so I'm not sure if it still works like that or if it tends to be disabled. (I was on one of the teams doing the audit; I found the "Skeleton Key" defect.)

https://www.eecis.udel.edu/~mills/ntp/html/rate.html#kiss

If you wanted to help the server deal with DoS even better, I would guess the best solution is to put a rate limiting firewall in front of it.
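Added example (not from this thread, and not ntpd's code): a simplified, assumed model of the server-side KoD rate limiting and the "spot the clients that query every 5 seconds" detection discussed above, run over constructed request timestamps. The 600-second minimum interval is the 10-minute guideline quoted in the thread; the three-KoDs-then-drop threshold is an assumption of the model.

```python
from collections import defaultdict
from statistics import mean

# Simplified model of server-side NTP rate limiting, written for this thread
# (an assumption, not ntpd's actual algorithm): a source querying faster than
# MIN_INTERVAL gets a Kiss-o'-Death reply instead of time, and after KOD_LIMIT
# ignored KoDs it is dropped silently. Every packet updates last-seen, so the
# client is served again only once it really backs off.
MIN_INTERVAL = 600.0   # 10 minutes: the vendor guideline quoted in the thread
KOD_LIMIT = 3

def rate_limit(events, min_interval=MIN_INTERVAL, kod_limit=KOD_LIMIT):
    """events: (timestamp_seconds, source_ip) pairs. Returns a list of
    (timestamp, source_ip, action) with action in {"serve", "kod", "drop"}."""
    last_seen, kod_sent, decisions = {}, defaultdict(int), []
    for ts, src in sorted(events):
        prev = last_seen.get(src)
        last_seen[src] = ts
        if prev is None or ts - prev >= min_interval:
            kod_sent[src] = 0      # backed off long enough: serve and reset
            action = "serve"
        elif kod_sent[src] < kod_limit:
            kod_sent[src] += 1     # ask the client to slow down
            action = "kod"
        else:
            action = "drop"        # KoD ignored: stop answering at all
        decisions.append((ts, src, action))
    return decisions

def summarize(decisions):
    """Per-source action counts, e.g. {"192.0.2.10": {"serve": 1, "kod": 3}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _ts, src, action in decisions:
        counts[src][action] += 1
    return {src: dict(c) for src, c in counts.items()}

def offenders(events, min_interval=MIN_INTERVAL):
    """Detection side: sources whose mean gap between requests is below the
    guideline (the 'spot the IPs querying every 5 seconds' idea above)."""
    times = defaultdict(list)
    for ts, src in sorted(events):
        times[src].append(ts)
    return sorted(src for src, ts in times.items() if len(ts) > 1
                  and mean(b - a for a, b in zip(ts, ts[1:])) < min_interval)

# Constructed sample (TEST-NET addresses): one client that follows the
# guideline, one querying every 5 seconds like the firmware in the thread.
SAMPLE = [(t, "198.51.100.7") for t in (0, 700, 1400)] + \
         [(t, "192.0.2.10") for t in range(0, 61, 5)]
```

Running `summarize(rate_limit(SAMPLE))` shows the 5-second client getting one answer, three KoDs and then nothing, while the well-behaved client is always served; `offenders(SAMPLE)` flags only the misbehaving address.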

Out-of-the-loop: what products are using TP-Link?

Aside: maybe there should be a governing body for comm protocol behavior? (Semi sarcastic)

TP-Link is a manufacturer of multiple devices and an OEM for others. I would imagine, if consistent across firmwares, there are a lot of requests being made. https://en.wikipedia.org/wiki/TP-Link